From 8b81e9d213a00fa45a8569d23b8fee21458458dc Mon Sep 17 00:00:00 2001
From: Elizabeth Krumbach
Date: Mon, 5 Aug 2013 10:24:16 -0700
Subject: [PATCH] Add httpd ssl support to git.openstack.org

Certificates have been added to hiera, now adding the support for https in a new apache file.

Change-Id: I8447d60a15779b103556e53f04accf671dbf4843
---
 manifests/site.pp | 7 ++-
 modules/cgit/files/cgit.conf | 4 --
 modules/cgit/manifests/init.pp | 51 +++++++++++++++++++---
 modules/cgit/templates/git.vhost.erb | 39 +++++++++++++++++
 modules/openstack_project/files/git/cgitrc | 2 +-
 modules/openstack_project/manifests/git.pp | 14 +++++-
 6 files changed, 104 insertions(+), 13 deletions(-)
 delete mode 100644 modules/cgit/files/cgit.conf
 create mode 100644 modules/cgit/templates/git.vhost.erb

diff --git a/manifests/site.pp b/manifests/site.pp
index 4cf935c984..7da4da86a9 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -288,8 +288,11 @@ node /^elasticsearch\d*\.openstack\.org$/ {
 # A CentOS machine to run cgit and git daemon.
 node 'git.openstack.org' {
 class { 'openstack_project::git':
- sysadmins => hiera('sysadmins'),
- git_gerrit_ssh_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
+ sysadmins => hiera('sysadmins'),
+ git_gerrit_ssh_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
+ ssl_cert_file_contents => hiera('git_ssl_cert_file_contents'),
+ ssl_key_file_contents => hiera('git_ssl_key_file_contents'),
+ ssl_chain_file_contents => hiera('git_ssl_chain_file_contents'),
 }
 }
diff --git a/modules/cgit/files/cgit.conf b/modules/cgit/files/cgit.conf
deleted file mode 100644
index 3ca820f689..0000000000
--- a/modules/cgit/files/cgit.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-Alias /cgit-data /usr/share/cgit
-ScriptAlias /cgit /var/www/cgi-bin/cgit
-RewriteEngine On
-RewriteRule ^/$ /cgit [R]
diff --git a/modules/cgit/manifests/init.pp b/modules/cgit/manifests/init.pp
index 5279a31df2..9215a861ec 100644
--- a/modules/cgit/manifests/init.pp
+++ b/modules/cgit/manifests/init.pp
@@ -14,7 +14,16 @@
 #
 # Class: cgit
 #
-class cgit {
+class cgit(
+ $vhost_name = $::fqdn,
+ $serveradmin = "webmaster@${::fqdn}",
+ $ssl_cert_file = '',
+ $ssl_key_file = '',
+ $ssl_chain_file = '',
+ $ssl_cert_file_contents = '', # If left empty puppet will not create file.
+ $ssl_key_file_contents = '', # If left empty puppet will not create file.
+ $ssl_chain_file_contents = '', # If left empty puppet will not create file.
+) {
 include apache
@@ -66,10 +75,12 @@ class cgit {
 value => on
 }
- file { '/etc/httpd/conf.d/cgit.conf':
- ensure => present,
- source => 'puppet:///modules/cgit/cgit.conf',
- mode => '0644'
+ apache::vhost { $vhost_name:
+ port => 443,
+ docroot => 'MEANINGLESS ARGUMENT',
+ priority => '50',
+ template => 'cgit/git.vhost.erb',
+ ssl => true,
 }
 file { '/etc/xinetd.d/git':
@@ -84,4 +95,34 @@ class cgit {
 ensure => running,
 subscribe => File['/etc/xinetd.d/git'],
 }
+
+ if $ssl_cert_file_contents != '' {
+ file { $ssl_cert_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_cert_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_key_file_contents != '' {
+ file { $ssl_key_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_key_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
+
+ if $ssl_chain_file_contents != '' {
+ file { $ssl_chain_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $ssl_chain_file_contents,
+ before => Apache::Vhost[$vhost_name],
+ }
+ }
 }
diff --git a/modules/cgit/templates/git.vhost.erb b/modules/cgit/templates/git.vhost.erb
new file mode 100644
index 0000000000..91dc5eb1c2
--- /dev/null
+++ b/modules/cgit/templates/git.vhost.erb
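Review bot: `$ssl_cert_file = ''` and `$ssl_key_file = ''` in the new parameter list are unsafe defaults, because the git.vhost.erb template in this same patch renders `SSLCertificateFile` and `SSLCertificateKeyFile` from them unconditionally and the vhost is declared with `ssl => true`, so a plain `include cgit` produces a vhost httpd refuses to load (and, if the matching `*_contents` is set, a `file` resource with an empty title). I would refuse the combination at the top of the class body rather than let it reach httpd: `if $ssl_cert_file == '' or $ssl_key_file == '' { fail('cgit: ssl_cert_file and ssl_key_file must be set') }`. The rest of the class body lies outside this hunk.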
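Review bot: `docroot => 'MEANINGLESS ARGUMENT'` in the new `apache::vhost` declaration reads as a leftover placeholder; if the value really is ignored because the custom `template` supplies the whole vhost body, a comment should say so, e.g. `# docroot is unused here: git.vhost.erb defines the entire vhost`. If the `apache::vhost` define does anything with the path (validation, creating the directory) — which I cannot see from this diff — a real directory such as `/var/www/cgi-bin` would be safer than an arbitrary string.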
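Review bot: The three new `file` resources are ordered `before` the vhost but nothing is notified when their content changes, so a certificate or key rotated through hiera gets written to disk while the running httpd keeps serving the old one until something else happens to reload it; each resource should carry `notify => Service['httpd']` (or whichever service resource the apache module here declares). The private key is also written `mode => '0640'` with group root; since httpd reads the key as root before dropping privileges, `mode => '0600'` on `$ssl_key_file` is sufficient and tighter, while the certificate and chain are public and can stay world-readable. The hunk runs to the class's closing brace, so the ordering relative to `include apache` at the top of the class is not visible here.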
@@ -0,0 +1,39 @@
+:80>
+ ServerName <%= scope.lookupvar("cgit::vhost_name") %>
+ ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
+
+ ErrorLog ${APACHE_LOG_DIR}/git-error.log
+
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/git-access.log combined
+
+ Redirect / https://<%= scope.lookupvar("cgit::vhost_name") %>/
+
+
+
+:443>
+ ServerName <%= scope.lookupvar("cgit::vhost_name") %>
+ ServerAdmin <%= scope.lookupvar("cgit::serveradmin") %>
+
+ Alias /cgit-data /usr/share/cgit
+ ScriptAlias /cgit /var/www/cgi-bin/cgit
+ RewriteEngine On
+ RewriteRule ^/$ /cgit [R]
+
+ ErrorLog ${APACHE_LOG_DIR}/git-error.log
+
+ LogLevel warn
+
+ CustomLog ${APACHE_LOG_DIR}/git-access.log combined
+
+ SSLEngine on
+
+ SSLCertificateFile <%= scope.lookupvar("cgit::ssl_cert_file") %>
+ SSLCertificateKeyFile <%= scope.lookupvar("cgit::ssl_key_file") %>
+<% if scope.lookupvar("cgit::ssl_chain_file") != "" %>
+ SSLCertificateChainFile <%= scope.lookupvar("cgit::ssl_chain_file") %>
+<% end %>
+
+
diff --git a/modules/openstack_project/files/git/cgitrc b/modules/openstack_project/files/git/cgitrc
index db14123036..937c7121cd 100644
--- a/modules/openstack_project/files/git/cgitrc
+++ b/modules/openstack_project/files/git/cgitrc
@@ -6,7 +6,7 @@
 cache-size=0
 # Specify some default clone prefixes
-clone-prefix=git://git.openstack.org http://git.openstack.org/cgit
+clone-prefix=git://git.openstack.org https://git.openstack.org/cgit
 # Specify the css url
 css=/cgit-data/cgit.css
diff --git a/modules/openstack_project/manifests/git.pp b/modules/openstack_project/manifests/git.pp
index 71bdd336a9..04d0197649 100644
--- a/modules/openstack_project/manifests/git.pp
+++ b/modules/openstack_project/manifests/git.pp
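Review bot: `ErrorLog ${APACHE_LOG_DIR}/git-error.log` and the three sibling `ErrorLog`/`CustomLog` lines depend on `APACHE_LOG_DIR`, a variable the Debian/Ubuntu apache2 `envvars` file exports, while site.pp in this same patch describes the target as a CentOS machine; unless the httpd there defines it (nothing in the diff does), the log paths are wrong, so these four directives should use an absolute path such as `/var/log/httpd/git-error.log` and `/var/log/httpd/git-access.log` or a template variable. The :80 vhost's `Redirect /` is also a temporary 302 by default; `Redirect permanent / https://<%= scope.lookupvar("cgit::vhost_name") %>/` lets clients cache the upgrade instead of re-issuing a cleartext request each visit. The `:80>`/`:443>` fragments at the top of each block look like the remains of `<VirtualHost ...>` tags lost in this rendering of the hunk, so the vhost boundaries cannot be checked from here.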
@@ -18,9 +18,12 @@
 class openstack_project::git (
 $sysadmins = [],
 $git_gerrit_ssh_key = '',
+ $ssl_cert_file_contents = '',
+ $ssl_key_file_contents = '',
+ $ssl_chain_file_contents = '',
 ) {
 class { 'openstack_project::server':
- iptables_public_tcp_ports => [80, 9418],
+ iptables_public_tcp_ports => [80, 443, 9418],
 sysadmins => $sysadmins,
 }
@@ -28,6 +31,15 @@ class openstack_project::git (
 include jeepyb
 include pip
+ class { 'cgit':
+ ssl_cert_file => '/etc/ssl/certs/git.openstack.org.pem',
+ ssl_key_file => '/etc/ssl/private/git.openstack.org.key',
+ ssl_chain_file => '/etc/ssl/certs/intermediate.pem',
+ ssl_cert_file_contents => $ssl_cert_file_contents,
+ ssl_key_file_contents => $ssl_key_file_contents,
+ ssl_chain_file_contents => $ssl_chain_file_contents,
+ }
+
 # We don't actually use these, but jeepyb requires them.
 $local_git_dir = '/var/lib/git'
 $ssh_project_key = ''
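Review bot: `ssl_key_file => '/etc/ssl/private/git.openstack.org.key'` and the two `/etc/ssl/certs/...` paths follow Debian's layout, but site.pp calls this a CentOS host, where the packaged locations are `/etc/pki/tls/private` and `/etc/pki/tls/certs`; the cgit class's `file` resources do not create parent directories, so if `/etc/ssl/private` is absent on that machine the run fails before httpd ever sees its key. Either point these at `/etc/pki/tls/...` or declare the directory first, `file { '/etc/ssl/private': ensure => directory, mode => '0700' }`, ordered before `Class['cgit']`. Note too that `ssl_chain_file` is always set here while the chain file is only written when `$ssl_chain_file_contents` is non-empty, so with an empty hiera value the vhost template still emits `SSLCertificateChainFile` for a file that does not exist; passing `ssl_chain_file` only when contents are present (or an empty string otherwise) keeps the template's `!= ""` guard meaningful. The class continues past `$ssh_project_key = ''`, outside this hunk.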